Exposures › CVE-2026-58123
Hermes WebUI before 0.51.788 allows unauthenticated remote code execution via terminal API endpoints.
This critical vulnerability enables attackers to execute arbitrary shell commands without authentication by exploiting the embedded terminal API, posing a severe risk to DIB systems relying on Hermes WebUI for remote management. Organizations must immediately patch to version 0.51.788 or later to prevent unauthorized command execution and potential data exfiltration.
Shame score — The vulnerability is unauthenticated and allows full command execution, but it is not zero-day and has been disclosed publicly, making it a high-severity but avoidable failure if patched promptly.
Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary shell commands by accessing the embedded terminal API endpoints without credentials. Attackers can create a session, attach a PTY shell, and write arbitrary commands through the terminal input endpoint to achieve full command execution as the server process user via four sequential unauthenticated HTTP requests.
No correlated FedRAMP products.